test: add command-level tests for env token auth branches

Cover the env-token-aware branches in status, logout, refresh, and
login commands to push patch coverage above 80%.

- status: 14 tests (env source display, hidden config path, no
  expiry/refresh for env tokens, credential verification, defaults)
- logout: 5 tests (env token blocks clear, correct env var name,
  fallback to SENTRY_AUTH_TOKEN)
- refresh: 6 tests (env token throws, no-refresh-token, success,
  still-valid, --json output)
- login: 1 new test (env token active → remove env var message)

Author: BYK

test/commands/auth/login.test.ts

@@ -63,6 +63,7 @@ function createContext() {
 
 describe("loginCommand.func --token path", () => {
   let isAuthenticatedSpy: ReturnType<typeof spyOn>;
+  let isEnvTokenActiveSpy: ReturnType<typeof spyOn>;
   let setAuthTokenSpy: ReturnType<typeof spyOn>;
   let getUserRegionsSpy: ReturnType<typeof spyOn>;
   let clearAuthSpy: ReturnType<typeof spyOn>;
@@ -73,17 +74,20 @@ describe("loginCommand.func --token path", () => {
 
   beforeEach(async () => {
     isAuthenticatedSpy = spyOn(dbAuth, "isAuthenticated");
+    isEnvTokenActiveSpy = spyOn(dbAuth, "isEnvTokenActive");
     setAuthTokenSpy = spyOn(dbAuth, "setAuthToken");
     getUserRegionsSpy = spyOn(apiClient, "getUserRegions");
     clearAuthSpy = spyOn(dbAuth, "clearAuth");
     getCurrentUserSpy = spyOn(apiClient, "getCurrentUser");
     setUserInfoSpy = spyOn(dbUser, "setUserInfo");
     runInteractiveLoginSpy = spyOn(interactiveLogin, "runInteractiveLogin");
+    isEnvTokenActiveSpy.mockReturnValue(false);
     func = (await loginCommand.loader()) as unknown as LoginFunc;
   });
 
   afterEach(() => {
     isAuthenticatedSpy.mockRestore();
+    isEnvTokenActiveSpy.mockRestore();
     setAuthTokenSpy.mockRestore();
     getUserRegionsSpy.mockRestore();
     clearAuthSpy.mockRestore();
@@ -92,7 +96,7 @@ describe("loginCommand.func --token path", () => {
     runInteractiveLoginSpy.mockRestore();
   });
 
-  test("already authenticated: prints message and returns early", async () => {
+  test("already authenticated (OAuth): prints re-auth message", async () => {
     isAuthenticatedSpy.mockResolvedValue(true);
 
     const { context, getStdout } = createContext();
@@ -103,6 +107,18 @@ describe("loginCommand.func --token path", () => {
     expect(getCurrentUserSpy).not.toHaveBeenCalled();
   });
 
+  test("already authenticated (env token): tells user to remove env var", async () => {
+    isAuthenticatedSpy.mockResolvedValue(true);
+    isEnvTokenActiveSpy.mockReturnValue(true);
+
+    const { context, getStdout } = createContext();
+    await func.call(context, { timeout: 900 });
+
+    expect(getStdout()).toContain("environment variable");
+    expect(getStdout()).toContain("Remove the env var");
+    expect(getStdout()).not.toContain("already authenticated");
+  });
+
   test("--token: stores token, fetches user, writes success", async () => {
     isAuthenticatedSpy.mockResolvedValue(false);
     setAuthTokenSpy.mockResolvedValue(undefined);

test/commands/auth/logout.test.ts

@@ -0,0 +1,148 @@
+/**
+ * Logout Command Tests
+ *
+ * Tests for the logoutCommand func() in src/commands/auth/logout.ts.
+ * Covers the env-token-aware branches added for headless auth support.
+ */
+
+import {
+  afterEach,
+  beforeEach,
+  describe,
+  expect,
+  mock,
+  spyOn,
+  test,
+} from "bun:test";
+import { logoutCommand } from "../../../src/commands/auth/logout.js";
+// biome-ignore lint/performance/noNamespaceImport: needed for spyOn mocking
+import * as dbAuth from "../../../src/lib/db/auth.js";
+// biome-ignore lint/performance/noNamespaceImport: needed for spyOn mocking
+import * as dbIndex from "../../../src/lib/db/index.js";
+
+type LogoutFunc = (
+  this: unknown,
+  flags: Record<string, never>
+) => Promise<void>;
+
+function createContext() {
+  const stdoutLines: string[] = [];
+  const context = {
+    stdout: {
+      write: mock((s: string) => {
+        stdoutLines.push(s);
+      }),
+    },
+    stderr: {
+      write: mock((_s: string) => {
+        /* no-op */
+      }),
+    },
+    cwd: "/tmp",
+    setContext: mock((_k: string, _v: unknown) => {
+      /* no-op */
+    }),
+  };
+  return { context, getStdout: () => stdoutLines.join("") };
+}
+
+describe("logoutCommand.func", () => {
+  let isAuthenticatedSpy: ReturnType<typeof spyOn>;
+  let isEnvTokenActiveSpy: ReturnType<typeof spyOn>;
+  let getAuthConfigSpy: ReturnType<typeof spyOn>;
+  let clearAuthSpy: ReturnType<typeof spyOn>;
+  let getDbPathSpy: ReturnType<typeof spyOn>;
+  let func: LogoutFunc;
+
+  beforeEach(async () => {
+    isAuthenticatedSpy = spyOn(dbAuth, "isAuthenticated");
+    isEnvTokenActiveSpy = spyOn(dbAuth, "isEnvTokenActive");
+    getAuthConfigSpy = spyOn(dbAuth, "getAuthConfig");
+    clearAuthSpy = spyOn(dbAuth, "clearAuth");
+    getDbPathSpy = spyOn(dbIndex, "getDbPath");
+
+    clearAuthSpy.mockResolvedValue(undefined);
+    getDbPathSpy.mockReturnValue("/fake/db/path");
+
+    func = (await logoutCommand.loader()) as unknown as LogoutFunc;
+  });
+
+  afterEach(() => {
+    isAuthenticatedSpy.mockRestore();
+    isEnvTokenActiveSpy.mockRestore();
+    getAuthConfigSpy.mockRestore();
+    clearAuthSpy.mockRestore();
+    getDbPathSpy.mockRestore();
+  });
+
+  test("not authenticated: prints message and returns", async () => {
+    isAuthenticatedSpy.mockResolvedValue(false);
+
+    const { context, getStdout } = createContext();
+    await func.call(context, {});
+
+    expect(getStdout()).toContain("Not currently authenticated");
+    expect(clearAuthSpy).not.toHaveBeenCalled();
+  });
+
+  test("OAuth token: clears auth and shows success", async () => {
+    isAuthenticatedSpy.mockResolvedValue(true);
+    isEnvTokenActiveSpy.mockReturnValue(false);
+
+    const { context, getStdout } = createContext();
+    await func.call(context, {});
+
+    expect(clearAuthSpy).toHaveBeenCalled();
+    expect(getStdout()).toContain("Logged out successfully");
+    expect(getStdout()).toContain("/fake/db/path");
+  });
+
+  test("env token (SENTRY_AUTH_TOKEN): does not clear auth, shows env var message", async () => {
+    isAuthenticatedSpy.mockResolvedValue(true);
+    isEnvTokenActiveSpy.mockReturnValue(true);
+    getAuthConfigSpy.mockReturnValue({
+      token: "sntrys_env_123",
+      source: "env:SENTRY_AUTH_TOKEN",
+    });
+
+    const { context, getStdout } = createContext();
+    await func.call(context, {});
+
+    expect(clearAuthSpy).not.toHaveBeenCalled();
+    expect(getStdout()).toContain("SENTRY_AUTH_TOKEN");
+    expect(getStdout()).toContain("environment variable");
+    expect(getStdout()).toContain("Unset");
+  });
+
+  test("env token (SENTRY_TOKEN): shows correct env var name", async () => {
+    isAuthenticatedSpy.mockResolvedValue(true);
+    isEnvTokenActiveSpy.mockReturnValue(true);
+    getAuthConfigSpy.mockReturnValue({
+      token: "sntrys_token_456",
+      source: "env:SENTRY_TOKEN",
+    });
+
+    const { context, getStdout } = createContext();
+    await func.call(context, {});
+
+    expect(clearAuthSpy).not.toHaveBeenCalled();
+    expect(getStdout()).toContain("SENTRY_TOKEN");
+    expect(getStdout()).not.toContain("SENTRY_AUTH_TOKEN");
+  });
+
+  test("env token: falls back to SENTRY_AUTH_TOKEN if source is unexpected", async () => {
+    isAuthenticatedSpy.mockResolvedValue(true);
+    isEnvTokenActiveSpy.mockReturnValue(true);
+    // Simulate edge case: source doesn't start with "env:" prefix
+    getAuthConfigSpy.mockReturnValue({
+      token: "sntrys_token",
+      source: "oauth",
+    });
+
+    const { context, getStdout } = createContext();
+    await func.call(context, {});
+
+    // Falls back to "SENTRY_AUTH_TOKEN" as default
+    expect(getStdout()).toContain("SENTRY_AUTH_TOKEN");
+  });
+});

test/commands/auth/refresh.test.ts

@@ -0,0 +1,164 @@
+/**
+ * Refresh Command Tests
+ *
+ * Tests for the refreshCommand func() in src/commands/auth/refresh.ts.
+ * Covers the env-token guard and the main refresh flow.
+ */
+
+import {
+  afterEach,
+  beforeEach,
+  describe,
+  expect,
+  mock,
+  spyOn,
+  test,
+} from "bun:test";
+import { refreshCommand } from "../../../src/commands/auth/refresh.js";
+// biome-ignore lint/performance/noNamespaceImport: needed for spyOn mocking
+import * as dbAuth from "../../../src/lib/db/auth.js";
+import { AuthError } from "../../../src/lib/errors.js";
+
+type RefreshFlags = { readonly json: boolean; readonly force: boolean };
+type RefreshFunc = (this: unknown, flags: RefreshFlags) => Promise<void>;
+
+function createContext() {
+  const stdoutLines: string[] = [];
+  const context = {
+    stdout: {
+      write: mock((s: string) => {
+        stdoutLines.push(s);
+      }),
+    },
+    stderr: {
+      write: mock((_s: string) => {
+        /* no-op */
+      }),
+    },
+    cwd: "/tmp",
+    setContext: mock((_k: string, _v: unknown) => {
+      /* no-op */
+    }),
+  };
+  return { context, getStdout: () => stdoutLines.join("") };
+}
+
+describe("refreshCommand.func", () => {
+  let isEnvTokenActiveSpy: ReturnType<typeof spyOn>;
+  let getAuthConfigSpy: ReturnType<typeof spyOn>;
+  let refreshTokenSpy: ReturnType<typeof spyOn>;
+  let func: RefreshFunc;
+
+  beforeEach(async () => {
+    isEnvTokenActiveSpy = spyOn(dbAuth, "isEnvTokenActive");
+    getAuthConfigSpy = spyOn(dbAuth, "getAuthConfig");
+    refreshTokenSpy = spyOn(dbAuth, "refreshToken");
+    func = (await refreshCommand.loader()) as unknown as RefreshFunc;
+  });
+
+  afterEach(() => {
+    isEnvTokenActiveSpy.mockRestore();
+    getAuthConfigSpy.mockRestore();
+    refreshTokenSpy.mockRestore();
+  });
+
+  test("env token active: throws AuthError with descriptive message", async () => {
+    isEnvTokenActiveSpy.mockReturnValue(true);
+
+    const { context } = createContext();
+
+    try {
+      await func.call(context, { json: false, force: false });
+      expect.unreachable("should have thrown");
+    } catch (err) {
+      expect(err).toBeInstanceOf(AuthError);
+      expect((err as AuthError).message).toContain(
+        "Cannot refresh an environment variable token"
+      );
+    }
+
+    expect(refreshTokenSpy).not.toHaveBeenCalled();
+  });
+
+  test("no refresh token: throws AuthError about missing refresh token", async () => {
+    isEnvTokenActiveSpy.mockReturnValue(false);
+    getAuthConfigSpy.mockReturnValue({
+      token: "manual_token",
+      source: "oauth",
+    });
+
+    const { context } = createContext();
+
+    try {
+      await func.call(context, { json: false, force: false });
+      expect.unreachable("should have thrown");
+    } catch (err) {
+      expect(err).toBeInstanceOf(AuthError);
+      expect((err as AuthError).message).toContain("No refresh token");
+    }
+  });
+
+  test("successful refresh: shows success message", async () => {
+    isEnvTokenActiveSpy.mockReturnValue(false);
+    getAuthConfigSpy.mockReturnValue({
+      token: "old_token",
+      source: "oauth",
+      refreshToken: "refresh_abc",
+    });
+    refreshTokenSpy.mockResolvedValue({
+      token: "new_token",
+      refreshed: true,
+      expiresIn: 3600,
+      expiresAt: Date.now() + 3_600_000,
+    });
+
+    const { context, getStdout } = createContext();
+    await func.call(context, { json: false, force: false });
+
+    expect(getStdout()).toContain("Token refreshed successfully");
+    expect(getStdout()).toContain("1 hour");
+  });
+
+  test("token still valid: shows still-valid message", async () => {
+    isEnvTokenActiveSpy.mockReturnValue(false);
+    getAuthConfigSpy.mockReturnValue({
+      token: "current_token",
+      source: "oauth",
+      refreshToken: "refresh_abc",
+    });
+    refreshTokenSpy.mockResolvedValue({
+      token: "current_token",
+      refreshed: false,
+      expiresIn: 1800,
+    });
+
+    const { context, getStdout } = createContext();
+    await func.call(context, { json: false, force: false });
+
+    expect(getStdout()).toContain("Token still valid");
+    expect(getStdout()).toContain("--force");
+  });
+
+  test("--json: outputs JSON for successful refresh", async () => {
+    isEnvTokenActiveSpy.mockReturnValue(false);
+    getAuthConfigSpy.mockReturnValue({
+      token: "old_token",
+      source: "oauth",
+      refreshToken: "refresh_abc",
+    });
+    refreshTokenSpy.mockResolvedValue({
+      token: "new_token",
+      refreshed: true,
+      expiresIn: 3600,
+      expiresAt: Date.now() + 3_600_000,
+    });
+
+    const { context, getStdout } = createContext();
+    await func.call(context, { json: true, force: false });
+
+    const parsed = JSON.parse(getStdout());
+    expect(parsed.success).toBe(true);
+    expect(parsed.refreshed).toBe(true);
+    expect(parsed.expiresIn).toBe(3600);
+  });
+});